DETAILED ACTION

1. This action is responding to application papers filed on 7-2-2007.

2. Claims 1 - 28 are pending. Claims 1, 13, 22 are independent.



Response to Arguments 



3. Applicant's arguments filed 7/2/2007 have been fully considered but they are not 
persuasive. 

3.1 Applicant argues that the referenced prior art does not disclose, denying network 
access to a VPN capable end system before a user on the end system becomes 
authenticated, (see Remarks Page 2); performing the denying and permitting steps of 
claim 1 on an end system, (see Remarks Page 4) 

The Cheline prior art discloses that network-access is only enabled (allowed) after 
the completion of an authentication procedure, therefore, network-access must not be 
allowed (denied) before authentication. This disclosure satisfies the requirement that 
network access is denied before authentication, (see Cheline paragraph [0049], lines 1-4; 
paragraph [0049], lines 8-14: access to server side from client side allowed if 
authentication is valid, access not allowed before authentication is successful; paragraph 
[0027], lines 10-15: only access VPN after authentication, access denied before 
authentication) 

Applicant indicated that the prior art states that the radius software is part of the 
modem, (see Cheline paragraph [0043], lines 15-16: RADIUS software) The location 
of the RADIUS software does not remove the fact that network access is only allowed 
after authentication is successful. In any event, the Cheline prior art actually discloses 
that the RADIUS client software is preferably located on the modem but the RADIUS 
client software may not be located on the modem. This is stated as a preference for 
ease of use not a requirement. 

RADIUS is defined as, "The de facto standard protocol for authentication servers 
(AAA servers). Developed by Livingston Enterprises (later acquired by Lucent). 
RADIUS uses a challenge/response method for authentication." 
(http://computing-dictionary.thefreedictionary.com/radius) RADIUS is merely a protocol utilized to 
complete an authentication procedure between a client and a server. The actual 
access control information exists on the client and the server (authentication) systems, 
and network access is enabled between the client and the server. 

The referenced prior art discloses the claim limitation of access only after 
authentication. 

3.2 Applicant argues that the referenced prior art does not disclose, permitting 
network access by the end system solely on at least one VPN connection to an 
enterprise network once the user on the end system becomes authenticated, (see 
Remarks Page 3) 

The Cheline prior art discloses that network access between the two systems (the 
end system and the enterprise (server system)) is based on at least one VPN 
communications connection, (see Cheline paragraph [0015], lines 2-10; paragraph 
[0016], lines 1-4; paragraph [0016], lines 14-17: VPN communications authenticated 
and setup between a client and server) Communications between the end user and 
the enterprise utilizes VPN connections (at least one or maybe more). The claim 
limitation only mentions network access between an end system and the enterprise 
system. The claim limitation does not disclose anything about other network accesses 
by the client (end) system or other end systems. The claim limitation only states that 
network access between an end system and an enterprise network (server system) is 
solely based on at least one (maybe more) VPN connection. 

The referenced prior art discloses the claim limitation of secure network 
communications by at least one VPN connection. 

3.3 Applicant argues that the referenced prior art does not disclose, permitting write 
access to the end system solely to at least one temporary memory while the VPN 
connection is active, (see Remarks Page 3); purging the temporary memory once the 
VPN connection becomes inactive, (see Remarks Page 4); directing data writes to a 
RAM disk on the end system, (see. Remarks Page 4) 

The Cheline prior art discloses memory utilization by the end system while 
communications is active. Memory is a standard part of any computer system (whether 
designated either as a client or a server). Memory is the electronic holding place 
(shorter synonym for random access memory (RAM)) for instructions and data that your 
computer's microprocessor can reach quickly. When your computer is in normal 
operation, its memory usually contains the main parts of the operating system and some 
or all of the application programs and related data that are being used (related data: 
including VPN data). 

(http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci212546,00.html) 
Memory is utilized as a work buffer (data reads, data writes) for applications such as 
VPN communications applications on client systems. 

The Cheline prior art discloses computer systems for client and server systems. 
The claim limitation discloses utilizing a memory (random access memory) for data 
writes (storage of data, buffer space). The Cheline prior art discloses the capability to 
write data (application related data) into memory utilized for storage such as buffer 
space for applications such as a VPN communications application, (see Cheline 
paragraph [0015], lines 2-7; paragraph [0031], lines 3-5: VPN capable client system 
(computer, handheld device)) 

The referenced prior art discloses the claim limitation. 

3.4 Applicant argues that the referenced prior art does not disclose, restarting or 
shutting down the end system once the VPN connection becomes inactive, (see 
Remarks Page 5) 

There is no indication in the claim limitation that a restart is part of the VPN 
termination procedure. The limitation merely states that at some point after the 
termination of the VPN connection, the end system restarts. The Cheline prior art 
discloses the capability for a system restart or reboot, and the Cheline prior art 
discloses the capability to terminate a VPN connection when inactive. The Cheline prior 
art discloses the capability for a VPN connection (see Cheline paragraph [0015], lines 2-10: 
VPN connection, client-server; paragraph [0076], lines 1-6: terminate VPN, session 
inactive), and the capability to perform a reboot (system restart) procedure (see Cheline 
paragraph [0065], lines 1-3: system reboot capability) 

3.5 Applicant argues that the referenced prior art does not disclose, operating system 
software on or for a VPN capable end system, (see Remarks Pages 5, 6) 

The Cheline prior art discloses an Operating System for controlling software on a 
prior art system, (see Cheline paragraph [0047], lines 6-10: OS) The client or end 
system is disclosed as a computer system, which is controlled by an Operating System 
(OS) whether a PC or a PDA type device, (see Cheline paragraph [0015], lines 2-7; 
paragraph [0031], lines 3-5: VPN capable client system (computer, handheld)) Both 
computer systems (client (end system), server) are VPN capable systems, (see 
Cheline paragraph [0015], lines 2-10: VPN system) 

3.6 Applicant argues that the referenced prior art does not disclose, dropping packets 
that are not associated with the VPN connection, (see Remarks Page 6) 

The Cheline and Nguyen prior art combination disclose dropping data packets, 
which are not destined for the VPN connection or are designated as suspicious data 
packets, (see Nguyen paragraph [0954], lines 1-7: VPN technology; paragraph [0978], 
lines 4-7; paragraph [0979], lines 11-15; paragraph [1087], lines 14-17: invalid packets, 
not associated with application (FTP, VPN) connection dropped, also unapproved 
connections dropped (not initiated)) 
3.7 The examiner has considered the applicant's remarks concerning a thin client 
VPN capable end system denied network connectivity except for conducting VPN 
sessions, and the end system directs all data writes during VPN sessions to a 
temporary memory that is purged at the end of the session. Applicant's arguments 
have thus been fully analyzed and considered but they are not persuasive. 

After an additional analysis of the applicant's invention, remarks, and a search of 
the available prior art, it was determined that the current set of prior art consisting of 
Cheline (20030041136) and Nguyen (20030172145) discloses the applicant's invention 
including disclosures in Remarks dated June 2, 2007. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S. C. 102(e) 
that form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by 
the applicant for patent, except that an international application filed under the treaty defined in 
section 351(a) shall have the effects for purposes of this subsection of an application filed in the 
United States only if the international application designated the United States and was published 
under Article 21(2) of such treaty in the English language. 

5. Claims 1 - 5, 7 - 15, 17 - 24, 26 - 28 are rejected under 35 U.S.C. 102(e) as 
being anticipated by Cheline et al. (US PGPUB No. 20030041136). 
Regarding Claims 1, 22, Cheline discloses a method for reducing the vulnerability of 
an enterprise network to a malicious code attack from a virtual private network (VPN) 
capable end system, comprising: 

a) denying network access to a VPN capable end system before a user on the end 
system becomes authenticated; (see Cheline paragraph [0043], lines 1-8; 
paragraph [0069], lines 4-11: access only after user authentication) 

b) permitting network access by the end system solely on at least one VPN 
connection to an enterprise network once the user on the end system becomes 
authenticated; (see Cheline paragraph [0049], lines 8-14; paragraph [0071], lines 
1-3: access only after user authentication) and 

c) permitting write access to the end system solely to at least one temporary 
memory while the VPN connection is active, (see Cheline paragraph [0049], lines 
11-14: transfer of information between systems). 

Regarding Claim 2, Cheline discloses the method of claim 1, wherein the recited steps 
are performed on the end system, (see Cheline paragraph [0043], lines 1-8; paragraph 
[0069], lines 4-11; paragraph [0049], lines 8-14; paragraph [0071], lines 1-3; paragraph 
[0049], lines 11-14: VPN setup, users authenticated, data access enabled) 

Regarding Claims 3, 14, 23, Cheline discloses the method of claim 1, further 
comprising the step of purging the temporary memory once the VPN connection 
becomes inactive, (see Cheline paragraph [0076], lines 1-6: VPN torn down, tunnel 
disconnected, security information in temporary memory removed) 

Regarding Claims 4, 15, 24, Cheline discloses the method of claim 1, further 
comprising the step of authenticating the user, (see Cheline paragraph [0049], lines 8-14: 
authenticate user) 

Regarding Claim 5, Cheline discloses the method of claim 4, wherein the 
authenticating step comprises a two factor user authentication, (see Cheline paragraph 
[0027], lines 8-15: two factor authentication, 1: userId and password, 2: digital 
certificates) 

Regarding Claim 7, Cheline discloses the method of claim 1, wherein the step of 
permitting write access comprises directing data writes to a RAM disk on the end 
system, (see Cheline paragraph [0071], lines 1-3: VPN access to end system enabled) 

Regarding Claims 8, 17, 26, Cheline discloses the method of claim 1, further 
comprising the step of logging the user off the end system once the VPN connection 
becomes inactive, (see Cheline paragraph [0076], lines 1-5: logoff, VPN disconnected 
or inactive) 

Regarding Claim 9, Cheline discloses the method of claim 1, further comprising the 
step of restarting the end system once the VPN connection becomes inactive, (see 
Cheline paragraph [0076], lines 1-5: relogon, restarting end system) 

Regarding Claims 10, 19, 28, Cheline discloses the method of claim 1, further 
comprising the step of shutting down the end system once the VPN connection 
becomes inactive, (see Cheline paragraph [0076], lines 10-14: VPN disconnected, 
tunnel torn down) 

Regarding Claim 11, Cheline discloses the method of claim 1, wherein the VPN 
connection becomes inactive through an action initiated on the end system, (see 
Cheline paragraph [0076], lines 7-8: logoff, action initiated by user) 

Regarding Claim 12, Cheline discloses the method of claim 1, wherein the VPN 
connection becomes inactive through an action initiated external to the end system, 
(see Cheline paragraph [0076], lines 1-5: timeout (i.e. action external to system), VPN 
disconnected (i.e. inactive)) 

Regarding Claims 13, 20, 21, Cheline discloses a virtual private network (VPN) 
capable end system, comprising: 

a) at least one permanent memory; (see Cheline page 11, claim 13: computer- 
readable medium, memory, storage) 

b) at least one temporary memory; (see Cheline paragraph [0058], line 1: temporary 
memory) 
c) at least one processor coupled to the permanent memory and the temporary 
memory; (see Cheline paragraph [0047], lines 1-3: processor) and 

d) operating software stored on the permanent memory, the operating software 
having instructions executable by the processor to deny network access to the 
end system before a user on the end system becomes authenticated and, once 
the user on the end system becomes authenticated, to permit network access by 
the end system solely on at least one VPN connection to an enterprise network 
and permit write access solely to the temporary memory while the VPN 
connection is active, (see Cheline paragraph [0047], lines 6-20: operating system 
software, perform functions; page 11, claim 13: computer-readable medium) 

Regarding Claim 16, Cheline discloses the end system of claim 13, wherein the 
operating software has instructions executable by the processor to restart the end 
system once the VPN connection becomes inactive, (see Cheline paragraph [0076], 
lines 1-5: relogon (i.e. restart) end system) 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
7. Claims 6, 16, 25 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Cheline in view of Nguyen et al. (US PGPUB No. 20030172145). 

Regarding Claims 6, 16, 25, Cheline discloses the method of claim 1, wherein the step 
of permitting network access, (see Cheline paragraph [0071], lines 1-3: enable network 
access, VPN) Cheline does not specifically disclose dropping packets that are not 
associated with the VPN connection. However, Nguyen disclose wherein dropping 
packets that are not associated with the VPN connection, (see Nguyen paragraph 
[0954], lines 1-7: VPN technology; paragraph [0978], lines 4-7; paragraph [0979], lines 
11-15; paragraph [1087], lines 14-17: invalid packet, not associated with VPN 
connection dropped, unapproved connections dropped) 

It would have been obvious to one of ordinary skill in the art to modify Cheline as 
taught by Nguyen to enable the capability to drop packets that are not associated with 
the VPN connection. One of ordinary skill in the art would have been motivated to 
employ the teachings of Nguyen in order to enable the capability to leverage the 
Internet for useful and vital business activities, (see Nguyen paragraph [0029], lines 1-8: 
"... For enterprises and service providers alike, knowing how to leverage the Internet 
for more than mere Web advertising and e-mail access may be vital to remaining 
competitive in today's increasingly Net-driven markets. Successful service providers 
and commercial enterprises may differentiate themselves by the way they use Internet 
technology to rapidly create and deploy new services and implement new business 
models. ... ") 
Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carlton V. Johnson whose telephone number is 
571-270-1032. The examiner can normally be reached on Monday thru Friday, 8:00 - 
5:00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 
571-273-8300. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Carlton V. Johnson 

Examiner 

Art Unit 2136 



